goes on in IT shops both big and small -- creating possible SQL Server performance issues for Microsoft users.

Databases, including SQL Server, could be affected by the architectural flaws in chips widely reported at the start of the year. At risk are processors from Intel and others that use creative design to boost system performance.

As described by Google Project Zero, both Meltdown and Spectre access on-chip cache memory to create vulnerable side-channels of communication. Spectre can inject commands that divulge data. Meltdown, using simpler operations, can monitor data in memory.

In both cases, malicious code would exploit chip-level speculative code execution techniques -- ones used in many types of systems, including relational databases.

Early indications from Microsoft and others are that software patches and workarounds designed to counter Meltdown and Spectre can incur SQL Server performance issues. There are no signs of actual hacks yet, but database administrators (DBAs) have been advised to update server-side software. The fixes may lead to added processing overhead, however.

Patches and processing overhead

When DBAs apply updates to guard against the Meltdown and Spectre vulnerabilities, they'll have to judge for themselves how the added overhead of patches may affect their workloads. Performance degradation covering a variety of database, virtual machine, operating system and hardware combinations has been cited in some user blog entries.

But early estimates should be considered critically, according to Thomas LaRock, who serves as "head geek" at technology infrastructure management software provider SolarWinds, based in Austin, Texas. It's still early in terms of finding clarity when it comes to judging SQL Server performance issues that may be incurred by the recent Microsoft patches and workarounds to counter the two vulnerabilities, LaRock said.

"When you factor in the number of patches involved with Meltdown [and] Spectre, it's easy to understand why some people may be reporting a 30% performance hit," he said. "You could find hundreds of such claims on Reddit right now, many of them without any understanding of why such a performance hit might have been possible."

Calling 'Captain Edgecase'

Workloads, hardware, applications and code are among the variables that contribute to different performance measures. This is not to mention the human element.

"There's always one 'Captain Edgecase' in the crowd that wants everyone to know they found something different than anyone else," LaRock mused.

While waiting for chipmakers to create their own patches for Meltdown and Spectre, IT pros will have to look to patch applications not just at the database level, but at the operating system and browser levels, too.

LaRock said the basic message boils down to this: "Update all things."

Meltdown/Spectre lesson: Assess, test

Still, it's important for everyone to be able to assess their risk properly before applying patches, according to LaRock, who is a Microsoft MVP.

"To me, any risk is too much risk, and I would want to patch. But I wouldn't do so without knowing the impact, especially for mission-critical servers," he said.

"There are always going to be vulnerabilities and news about vulnerabilities. So, you have to have an environment for testing patches before rolling out changes into production," said Bellavance, who is also a Microsoft MVP.

Tests that Microsoft ran to measure the performance impact of fixes required in certain application scenarios found "significant degradation" on some SQL Server workloads, it said. The company recommended that users do their own performance checks before deploying the fixes. "If the performance impact of enabling these features is too high for an existing application, customers can consider whether isolating SQL Server from untrusted code running on the same machine is a better mitigation," it added.

Microsoft suggested that all users install updated versions of SQL Server and Windows Server to help mitigate the threats; doing so "should have negligible to minimal performance impact [on] existing applications," it said. Even in that case, though, it recommended that users first validate whether the performance of their SQL Server systems would be affected.

"If you didn't follow best practices for high availability, you may have had a performance hit."
Ned Bellavance, director of cloud solutions at Anexinet

Moving databases to the cloud doesn't relieve a DBA's responsibility for faults in system settings, Bellavance said. That is especially true in the face of vulnerabilities like Meltdown, which can exploit cloud environments that share resources like databases across virtual machines. The cloud provider can be expected to roll out fixes, but databases have to be configured to anticipate such disruptions in the status quo.

Microsoft was quick to roll out patches for SQL Server databases on its cloud, but some users experienced downtime, Bellavance said.

"People were impacted because Microsoft had to do cloud maintenance. If you didn't follow best practices for high availability, you may have had a performance hit," he said. Now is as good a time as any to review such practices, Bellavance advised.
